Welcome to the SecAware blog

I spy with my beady eye ...

28 Feb 2018

NBlog March 1 - Invasion of the Cryptominers

That's it, we're done! The 2018 malware awareness module is on its way to NoticeBored subscribers, infecting customers with ... our passion for the topic.

There are 28 different types of awareness and training material, in three parallel streams as always:

Stream A: security awareness materials for staff/all employees
1.      Train-the-trainer guide on malware
MS Word document  
4 pages
START HERE!  Creative ideas to boost your security awareness program

2.      Awareness seminar on malware
MS PowerPoint presentation   15 slides with speaker notes
Outlines today’s malware threats,
plus pragmatic advice on
how to reduce the risk

3.      Awareness posters on malware
3 high-resolution JPG images
Eye-catching images

4.      Awareness briefing on malware 2018
 8 pages
+ cover
Written to accompany the seminar, or to circulate on its own merits

5.      Malware hit parade
  1 page
Outlines 5 types of malware and
5 notable malware incidents

6.      Malware scam busters
 6 x 2 pages each
Double-sided leaflets covering computer viruses, cryptominers, spyware, APTs, bank Trojans & ransomware, with news

7.      Ransomware advisory
 1 page
What to do it your computer/device is being held to ransom

8.      Computer virus leaflet
 2 pages
Simple double-sided informative leaflet

9.      Case study on malware
 2 pages
Draws on a genuine malware incident, reported in the news

10.  Wordsearch puzzle on malware
 with solution
The grid hides well over 100 malware terms: how many can you find?

11.  FAQ on malware
 1 page
A simple one-side Q&A format

12.  Awareness challenge on malware
 1 page
A creative, fun challenge to get people thinking and interacting on malware

13.  Awareness survey on malware
 1 page
Measure awareness and gather feedback

14.  Awareness test on malware
 1 page
Are your awareness materials and activities getting the key points across?

15.  Hyperlinked information security glossary
 316 pages (!)
New terms include false flag, Coinhive, cryptominer, cryptojacking, Hiddad, Kedi and Xafecopy; malware entries are shown in red throughout the glossary

Stream B: security awareness materials for managers
16.  Diagrams for malware
 20  MS Visio drawings (!)
Visual representations of various aspects of the malware threat

17.  Management seminar on malware
 18 slides with speaker notes
Discusses the evolving malware threat

18.  Board agenda on malware
 1 page
Get senior management talking about the strategic aspects of malware

19.  Elevator pitch on malware
 1 page,
~80 words
If you had a fleeting chance to discuss malware with management, what would you say?  This document is a prompt

20.  Model policy on malware
 5 pages
Generic policy template, needs customization to suit your requirements

21.  Exec briefing on malware
 1 page
Looks as the strategic, governance and management aspects

22.  Management briefing on malware
 3 pages
+ cover
Quite succinct, explains cryptomining malware and other topical concerns

23.  Job description for a malware analyst
 1 page
Outlines this specialist rĂ´le and the skills/competences typically required

24.  Management briefing on malware metric
 5 pages
A discussion paper suggesting several ways to measure malware risks and controls

Stream C: security awareness materials for professionals
25.  Newsletter on malware
 4 pages
Uses recent news clippings and topical quotations for an update on malware

26.  Professional seminar on malware
 19 slides with speaker notes
A slightly more technical take on malware

27.  Professional briefing on malware
 4 pages
+ cover
A relatively short and sweet update this year, an overview for perspective

28.  Internal Controls Questionnaire on malware
 9 pages
Evaluate the organization’s malware-related information risks and controls

I'm particularly pleased with the poster image above, designed to accompany the staff seminar:
Malware The Movie Part XIV:
Invasion of the Cryptominers
While the surface was strangely calm,
far underground the crypt took shape

I had in mind those lurid cult classics such as Invasion of the Bodysnatchers, Friday the Thirteenth or the sinister Hammer horrors with Christopher Lee & co. Our graphics wizz married the concept of a horror movie poster with an image representing digital currency and Bitcoin, bringing it bang up to date. Nice work!  

It's "part XIV" because there are (at least!) 13 other recognized types or families of malware already, conveniently averaging about one per year that we've been churning out the 'malawareness' content. 

I wonder what horrors will feature in the module this time next year? Will it creep you out if I suggest that, whatever it might turn out to be, it is probably already in the wild, right now?

Don't forget to check under the keyboard tonight, and keep a firm grip on the mouse.  Sleep tight.

27 Feb 2018

NBlog February 27 - the bigger picture

The NoticeBored awareness module now nearing completion discusses the cryptomining malware that has come to prominence since the materials were last updated a year ago.  

It is hard to get terribly worked up about the theft of CPU cycles and joules while we're still battling ransomware, spyware and APTs ... but scratch a little deeper to discover that crypominers are more symptom than cause, the tip of a very chilly iceberg.

Q: How do systems get infected with cryptominers?  

A: Through the usual malware infection mechanisms i.e. security vulnerabilities in the IT systems and the people who use them.

Q: How do the crooks benefit?

A: Victims generate money for them, plainly ... but they also expose themselves and their systems to further compromise and exploitation.  Ahhhh.

There are shades of the 'fraud recovery' frauds which trick the victims of 419 advance fee frauds into also spending out for mythical 'compensation' and 'lawyers fees'.  You'd have thought being suckered once was enough to put people on their guard but it seems not: victims have marked themselves out as vulnerable. "I'm down, kick me again".

I'll leave it there for today as we need to finish the module.  Maybe tomorrow I'll have time to blog about the similarities between today's Bitcoin boom and the pyramid or Ponzi schemes of yore.

25 Feb 2018

NBlog February 25 - malware update 2019?

The 2018 malware update awareness module is a Work In Progress. We've all but completed the awareness materials for the general staff audience, and today we'll crack on through the management and professional streams.

Every year I wonder what we are going to say in the malware module, given that we've covered this topic so many times before. I worry that we might not find anything new to add, forcing us to re-hash the same old stuff in the hope of making it interesting enough to resonate with the audiences. 

Yet again I needn't have worried. The malware threat is constantly mutating, much like a biological virus in fact. As fast as we discover and get to grips with each form, novel attacks and new challenges arise. There's no shortage of new things to say.

Cryptomining malware emerged from its lair in the middle of last year. As it happens, it's one of the more benign forms that merely consumes resources, reduces performance and increases costs, as opposed to devastating and in some circumstances life-threatening forms ... and yet it is virulent (it spreads widely and rapidly) and weakens the host (aside from running the cryptomining software, what else might be going on in the background?).

Perhaps next March when we refresh the malware module yet again, we'll pick up on the biological similarities by bringing up MRSA "superbugs" that have the healthcare and pharmaceutical industries and authorities worried. What will we do if/when our antivirus controls fail us? What is the cybersecurity equivalent of 'deep cleaning the ward' using bleach, with palliative care for patients whose infections we simply cannot treat? If it came down to it, how would we fully isolate and treat an organization whose malware infection seriously threatens the rest of us? Who has the ability, and the authority, to turn off life-support or flip the kill-switch?

It would be good to have kick-started the thinking and planning early, before we find ourselves wallowing around in brown stuff. Security awareness isn't purely about learning from the past, or even the present.

Either way, I'm confident that in a year's time there will be something new and pressing to raise!

22 Feb 2018

NBlog February 22 - responsible disclosure

Today I've been scouring the web for news on cryptominer incidents to incorporate into next month's awareness materials on malware.

As well as the usual doom-n-gloom reports from assorted antivirus companies bigging-up the cryptominer threat, I came across an interesting letter from a US hospital, formally notifying patients about an incident.

The infection was identified back in September 2017, and eradicated within 4 days of detection.

Although the malware infection was a relatively benign cryptominer, the hospital sent a formal notification letter to patients at the end of January 2018 since the infected system held their medical data. 

Full marks to the hospital management for 'fessing up to the incident and publicly disclosing it, and for apparently handling the incident in a professional and reasonably efficient manner (although arguably 4 months is an age in Internet time).

They have offered free credit monitoring services, more appropriate in case of identity fraud ... which is a possibility if the malware gained privileged access to the system. I wonder, though, whether this letter was simply part of their pre-prepared generic response to a cyber-incident, perhaps a defensive move prompted by their lawyers just in case personal/medical information was disclosed inappropriately.

Anyway, there we go: a relevant little news clip to share and explain through the awareness program, for people to discuss and contemplate. We can use it in the awareness slide decks, briefing papers and maybe as a case study. There are aspects of interest to the general staff audience, to management, and to the professionals/specialists, so we get three times the value from one story. Cool!

20 Feb 2018

NBlog February 20 - awareness in small doses

Last month I blogged about consciously adopting a different style of awareness writing, with succinct tips-n-tricks supplementing, perhaps even replacing, conventional descriptive paragraphs.

At the risk of becoming recursive, one of the tips included in March's malware awareness module will be for NoticeBored customers to solicit tips from their colleagues who have suffered malware incidents recently.  

The idea is for the security awareness people to:

  • Find out what happened, to whom, when and how;
  • Speak, discreetly, to the people involved or implicated in the incidents;
  • Explore the consequences, both for the business and for them personally;
  • Tease out the tips - lessons worth sharing with others;
  • Share them.
Such an approach would work extremely well in some organizational cultures, but in others people can be reluctant to admit to and open up about their issues. Although it is feasible to draw out and express the key learning points anonymously, without identifying those directly involved, the process loses a lot of its awareness impact.

Think about it: if someone stands up before an audience, admits to failings that caused or failed to prevent a malware incident, and is clearly affected by the whole episode, isn't that a powerful, moving message in itself, regardless of the content?

So, taking my own medicine, the Hinson tip cut-to-the-chase version of this blog piece is:
"Find out about malware incidents from those involved, and share the lessons as part of your awareness program." 
While it's not the full story, that is hopefully just enough to catch your eye and stick in your memory.

17 Feb 2018

NBlog February 17 - The I part of CIA

Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:
  • Completeness of information;
  • Accuracy of information;
  • Veracity, authenticity and assurance levels in general e.g. testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);
  • Timeliness (or currency or ‘up-to-date-ness’) of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);
  • Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd’s rules within the DBMS);
  • Honesty, justified credibility, trust, trustworthiness, ‘true grit’, resilience, dependability and so forth, particularly in the humans and systems performing critical activities (another wide-ranging issue with several related controls);
  • Responsibility and accountability, including custodianship, delegation, expectations, obligations, commitments and all that …
  • … leading into ethics, professional standards of good conduct, ‘rules’, compliance and more.
The full breadth of meanings and the implications of “integrity” are the key reason I believe it deserves its place at information risk and security’s high table, along with confidentiality and availability. However, for some people in the field (perhaps a greater proportion of non-native English speakers?), it evidently has a much more restricted meaning, hence the reason for the note to this definition of information security:
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved."

Those additional properties, and more, are to me all part of “integrity” (plus availability in the case of “reliability”).

By the way, Donn Parker has argued for years (decades!) that the CIA triad is deficient. Aside from the vagueness of “integrity” which is at least partially addressed by that note, Donn points out that there are other, materially different properties or requirements or features of information that are also an integral part of the domain, such as ownership and control – and I must say I think he’s right. A significant part of privacy, for example, is the concept that we data subjects own and hence have a right to control or choose how our personal information is used, disclosed, stored, maintained and disposed of, regardless of who actually has possession of it at any moment, and regardless of the fact that we may have chosen to disclose it to them, or failed to prevent them accessing it (e.g. by standing naked at a window!). That, for me, goes beyond CIA, although some would say it falls under responsibility, accountability and trust which is part of integrity, and of course there is a confidentiality angle. Regardless of the official/academic definitions, it’s an intriguing perspective.